aboutsummaryrefslogtreecommitdiffstats
path: root/lib/crypto/gpg/gpgbin/keys.go
diff options
context:
space:
mode:
authorRobin Jarry <robin@jarry.cc>2024-03-04 23:27:00 +0100
committerRobin Jarry <robin@jarry.cc>2024-03-10 17:28:16 +0100
commit7b8fbe2a3d7c454c030cabdf5de65b84c3383a7f (patch)
tree5e443bce66f12447241196e38f5c93a7f9a51a72 /lib/crypto/gpg/gpgbin/keys.go
parent6a84f1331f1c18dccfbe58601a4243995ac5c7d2 (diff)
downloadaerc-7b8fbe2a3d7c454c030cabdf5de65b84c3383a7f.tar.gz
gpg: fix mime-version header position
Some MTAs try to normalize the case of all headers (including signed text parts headers). Unfortunately, Mime-Version can be normalized to different casing depending on the implementation (MIME- vs Mime-). Since the signature is computed on the whole part, including its header, changing the case can cause the signature to become invalid. Due to how multipart/signed messages are constructed, we need to hack around go-message writers to intercept the writing of a text part, compute its signature and write the actual message with the proper headers. Unfortunately, go-message does not allow creating a message writer that does not insert a Mime-Version header. This causes the Mime-Version header to be inserted in the wrong place: it is put inside the signed text part header instead on the top level header. Thus, included in the signed content. Make sure to remove any Mime-Version header from the signed part header. Finally, ensure that Mime-Version is set on the top-level header so that messages are compliant with RFC 2045. Fixes: https://todo.sr.ht/~rjarry/aerc/143 Link: https://github.com/emersion/go-message/issues/165 Link: https://github.com/emersion/go-pgpmail/pull/15 Link: https://lists.sr.ht/~rjarry/aerc-devel/%3CCQRPF5EA0TF8.PEJ4AKCEGMFM%40fembook%3E Changelog-fixed: `Mime-Version` is no longer inserted in signed text parts headers. MTAs normalizing header case will not corrupt signatures anymore. Reported-by: Coco Liliace <chloe@liliace.dev> Reported-by: Kirill Chibisov <contact@kchibisov.com> Signed-off-by: Robin Jarry <robin@jarry.cc> Tested-by: Tim Culverhouse <tim@timculverhouse.com>
Diffstat (limited to 'lib/crypto/gpg/gpgbin/keys.go')
0 files changed, 0 insertions, 0 deletions